Earlier this month, credit reporting company Equifax disclosed that hackers had accessed the names and Social Security numbers of approximately 143 million of its US customers.
No one wants to be the next Equifax and it’s a safe bet that at this very moment big and small businesses across the country are scrambling to bolster their cyber fortifications.
It’s not an easy feat. But Steve Martino, chief information security officer at Cisco, has developed some clever techniques through years of fighting the bad guys.
Cisco employees are constantly kept on their toes as Martino probes them for weak spots and drills a defensive mindset into them.
Martino sat down with Business Insider to share some of his key tactics for creating an organisation that won’t become the victim of the next big cyber attack. Here’s what he recommends:
In online business, big click-through rates are great: it means customers are clicking on links and web pages to buy stuff.
Inside a company though, high click-through rates can be deadly as a daily barrage of phishing emails and other nefarious tricks try to entice susceptible employees into clicking a dangerous link.
Martino sends out fake phishing emails to Cisco's entire staff every quarter. Anyone who clicks on the phishing link is brought to an employee training video to teach them how to avoid engaging with suspicious emails in the future. The method works because it helps every employee understand their role in protecting their company against attacks.
'We've been able to reduce our click-through rates by over 60% by giving them that training,' Martino says.
It's extremely difficult to protect against every possible method of intrusion, so it's best to focus on protecting the most important data. Figure out which customer and company data is most sensitive, as well as which portals of entry are most vulnerable, Martino advises.
'If you don't know what your key things are, you're trying to protect everything and you probably protect nothing,' he says.
Expect that attackers will get through some of the time and actively seek out the intruders.
'You have to recognise that in today's interconnected world, no matter how much you deploy, mistakes will happen,' Martino says. From employees who click on phishing emails to programmers who build buggy software, human error is at the heart of most security failures.
'Hackers are dedicated and well-funded adversaries, and they're going to find errors in software,' says Martino.
Because of this, it's vital that security teams actively look for existing breaches.
One way to do this is to choose security tools that work together, so that when one control fails at some point in the security process, other protections are already in place to stop the intrusion from going any further.
Every student and office worker knows how to get out of the building fast if there's an emergency. The same should be true for responding to cyber threats.
Martino recommends that management teams set up a cybersecurity playbook with defined steps that the team needs to take should their worst nightmares come to fruition.
Once the playbook is established and roles are doled out to the staff, companies should run drills for security breaches the way that schools run drills for fires: the more a company practices, the better prepared staffers are when something does go wrong.
While a playbook is vital for the cybersecurity team, it should also include prepared responses from other departments, especially the communications team.
Most states have security breach notification laws that require companies to disclose when consumers have been impacted by a hack. Companies also need plans for how to notify their board of directors, and other major stakeholders at the company. And don't forget to prep an apology statement to send to the press.
'If you don't have a disaster response playbook, you're going to try to make it up on the fly and make a lot of mistakes,' Martino says.